We replace syslog or rsyslog with the exotic socklog for improved security: socklog uses ?svlogd which has ?multilog compatible size based log file rotation: your disk gets never filled with logs.

socklog is well integrated into Debian and can be installed as package (could: until stretch).

We prefer to install it as local software instead. although we use the socklog-run package to integrated it into Debian.




Compile socklog

Follow instructions on install and diet libc.




cd /package
curl -OL http://smarden.org/socklog/socklog-$VER.tar.gz
tar xzf socklog-$VER.tar.gz
cd admin/socklog-$VER
echo 'diet -Os gcc -O2 -Wall' >src/conf-cc
echo 'diet -Os gcc -s -Os -pipe' >src/conf-ld

Build Debian package from source


Then follow dsc

Integrate into Debian

Get equivs packages.

dpkg -i ~/progs/equivs/socklog/socklog-surrogate_1.0_all.deb
# Create missing log user
sudo adduser --system --gecos "socklog" --group --disabled-password --disabled-login log
# Remove syslog and set up socklog
dpkg --purge rsyslog
dpkg -i ~/progs/socklog-run_2.1.0-8.1_all.deb

Alternatively - supplant existing Debian binaries

Install standard Debian socklog package:

dpkg --purge rsyslog
apt get install socklog-run

[Compile][] and install socklog with diet libc via slashpackage as local software.

After restarting the services the service run scripts will already use the slashpackage binaries, since these are linked to /usr/local/bin which comes earlier in runits PATH.

sv restart socklog-unix socklog-klog

Install socklog package on Debian stretch

Apparently based on a false bug report the socklog package is not included in Debian stretch. You can get the source files from:


    sudo install -d -m 2775 -o root -g staff /var/lib/supervise

  • Check the service status: sv stat socklog-unix socklog-klog

Syslog vs. socklog

Programs log messages to the socket /dev/log (on Linux). The syslog daemon reads the messages from there and dispatches them to different destinations, by default to the log files like /var/log/{auth,daemon,debug,lpr,mail,user}.log as well as /var/log/syslog(alias /var/log/messages) and /var/log/kern.log. The latter two contain "all essential" log events.

Since log files potencially grow indefinitely, a daily ?cron job runs ?logrotate to discard older entries.

This does not solve the initial problem, though.

socklog – or rather the underlying ?svlogd – rotates log files when they reach a certain size. You can therefore configure the exact size on disk dedicated to log files.

On the other side, with logrotate you decide on the time span of logging history, while the logging time span with socklog depends on your server load.